PDF virus threat

Adobe's PDF (Portable Document Format) files are gaining popularity across the Web as more and more surfers use the free Adobe Acrobat Reader to see documents in the exact format and style the author intended. However, a new worm called Peachy, announced yesterday, uses PDF files to spread itself: it runs when a user who has Adobe Acrobat (the full product, not the free Reader) and Microsoft Outlook opens an attachment embedded in an infected PDF file.

Peachy was written by the South American virus writer Zulu, and the design history and features of the worm were posted to Bugtraq by the Privacy Foundation's CTO, Richard M. Smith. Acrobat has had security holes before (last November's CERT advisory reported that Acrobat for Windows was susceptible to buffer overruns, which Adobe quickly patched), but Peachy is believed to be the first virus that uses PDF files to spread itself.

Acrobat can create PDF files with embedded attachments, including VBScript programs, and Peachy arrives as a game in which you find peaches. Viewing the game's solution involves double-clicking a file name, and that runs the malicious script (Acrobat pops up a warning about running attachments, but many people ignore those). Although Microsoft Outlook's new security deletes all VBScript attachments, Peachy gets through the filter because the script is hidden inside a PDF file rather than attached directly. Once activated, the worm walks all Outlook folders and address book entries, takes the first three addresses for each contact, and sends out up to 100 copies of itself with random subject lines. The worm runs only once on an infected computer (Zulu built that limit in by having it check the Windows Registry to see whether it has already run), but Zulu adds: “I even think that this PDF file would be manually sent by many of those users that are never tired of sending stupid jokes. :)”

Sarah Rosenbaum, Adobe's director of Acrobat product management, confirms Zulu's assertion that Peachy does not affect Acrobat Reader, since Reader doesn't recognize attachments in PDF files. She adds that Adobe has no plans to include that functionality in Reader anytime soon. McAfee anti-virus software will also be able to detect Peachy in next week's virus updates. The specter of continued virus writing for PDF files has industry watchers nervous, however. Richard Smith, for instance, worries that Adobe's recent DMCA-related actions against Dmitry Sklyarov could prevent people from doing further research into protecting Adobe products from viruses: “I recommend a bit of caution by anyone looking into this potential security problem in Adobe Acrobat Reader. A conversation with a lawyer might be prudent.”
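The spreading mechanism described above comes down to one gap: Outlook's attachment filter looks at the extension of the top-level attachment, while the .vbs lives inside the PDF as an embedded file. The following added example (written for this page; it is not code from the article, from Adobe, from Microsoft or from any anti-virus vendor) shows the check a mail gateway or AV hook can do instead: scan the PDF's file specification dictionaries, which the PDF specification defines as `<< /Type /Filespec /F (name) /EF << ... >> >>`, and flag embedded files whose names carry script extensions. The extension list, the function names, the sample filename `solution.vbs` and the PDF samples are constructed for the example (the article does not give the worm's real attachment name). Object streams and encrypted PDFs hide these dictionaries from a plain byte scan, so the example reports such files as needing a full parse rather than calling them clean.

```python
import re

# Extensions Outlook's attachment filter blocked at the top level; an
# illustrative subset (assumption), not Microsoft's full list.
RISKY_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                    "exe", "scr", "pif", "com", "bat", "cmd"}

# /F or /UF followed by a literal string (...) or hex string <...>.  A following
# "<<" (e.g. /EF << ... >>) or indirect reference (/F 5 0 R) does not match.
_NAME_RE = re.compile(rb"/(?:UF|F)\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)")


def _decode_name(literal, hexstr):
    """Decode a PDF string; /UF may be UTF-16BE with a byte-order mark."""
    if literal is not None:
        # Resolve \( \) \\ escapes; \ddd octal escapes are left unresolved.
        raw = re.sub(rb"\\(.)", rb"\1", literal, flags=re.S)
    else:
        digits = re.sub(rb"\s", b"", hexstr)
        digits += b"0" * (len(digits) % 2)     # spec: odd trailing digit reads as 0
        raw = bytes.fromhex(digits.decode("ascii"))
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")               # PDFDocEncoding approximated


def _enclosing_dict(data, pos):
    """Offsets (start, end) of the innermost << ... >> around pos, or None."""
    depth, i = 0, pos
    while i >= 0 and not (data[i:i + 2] == b"<<" and depth == 0):
        if data[i:i + 2] == b">>":
            depth += 1
        elif data[i:i + 2] == b"<<":
            depth -= 1
        i -= 1
    if i < 0:
        return None
    start, depth, j = i, 0, i + 2
    while j < len(data):
        if data[j:j + 2] == b"<<":
            depth += 1
        elif data[j:j + 2] == b">>":
            if depth == 0:
                return start, j + 2
            depth -= 1
        j += 1
    return None


def scan_pdf(data):
    """List file specifications found by a byte scan of the PDF."""
    attachments = []
    for m in re.finditer(rb"/Filespec\b", data):
        span = _enclosing_dict(data, m.start())
        if span is None:
            continue
        body = data[span[0]:span[1]]
        embedded = b"/EF" in body              # /EF => the bytes travel inside the PDF
        seen = set()
        for nm in _NAME_RE.finditer(body):
            name = _decode_name(nm.group(1), nm.group(2)).strip("\x00 ")
            base = re.split(r"[\\/]", name)[-1]       # drop any path component
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if base not in seen:
                seen.add(base)
                attachments.append({"name": base, "embedded": embedded,
                                    "risky": ext in RISKY_EXTENSIONS})
    # Object streams (PDF 1.5) and encryption hide dictionaries from a byte scan,
    # so a clean result on such a file proves nothing.
    opaque = b"/ObjStm" in data or b"/Encrypt" in data
    return {"attachments": attachments, "opaque": opaque}


def classify(data):
    """'block': embedded script attachment; 'review': inconclusive; else 'allow'."""
    result = scan_pdf(data)
    if any(a["risky"] and a["embedded"] for a in result["attachments"]):
        return "block"
    if result["opaque"] or any(a["risky"] for a in result["attachments"]):
        return "review"
    return "allow"


def build_pdf_with_attachment(filename, payload):
    """Constructed minimal PDF with one embedded file, laid out the way the PDF
    spec describes attachments (no xref table; the scanner never needs one)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles "
            b"<< /Names [(" + filename + b") 4 0 R] >> >> >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"4 0 obj << /Type /Filespec /F (" + filename + b") /UF ("
            + filename + b") /EF << /F 5 0 R >> >> endobj\n"
            b"5 0 obj << /Type /EmbeddedFile /Length "
            + str(len(payload)).encode() + b" >>\nstream\n" + payload
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed samples: a harmless note, and a PDF shaped like the article's
# description (script attachment under an inviting name; the filename is ours,
# not the worm's, and the payload is a comment, not code).
BENIGN_PDF = build_pdf_with_attachment(b"notes.txt", b"quarterly figures attached")
PEACHY_LIKE_PDF = build_pdf_with_attachment(b"solution.vbs", b"' placeholder, not a script")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("peachy-like", PEACHY_LIKE_PDF)):
        print(label, classify(pdf), scan_pdf(pdf)["attachments"])
```

The `review` verdict is the part that matters in deployment: a PDF 1.5 file with compressed object streams, or an encrypted one, can carry the same Filespec dictionary where a byte scan never sees it, so a gateway must either hand such files to a real PDF parser that decompresses object streams or treat them as unscanned rather than clean. A file specification without `/EF` points at an external file and carries no payload of its own, which is why a script name there is only flagged for review.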

SAM'S OPINION
This Peachy exploit really points out two major things to me: first, that you really can't ever relax your guard when it comes to the Internet, and second, that VBScript is the perfect example of how giving programmers an easy way to control everything can be a very dangerous move.

Adobe's Rosenbaum said it right: “… Any popular software becomes a target for security attacks and Acrobat has crossed that threshold. It's only been in the last 18 to 24 months that PDF … use has really exploded.” As soon as a certain file type becomes widespread, someone will write an exploit to take advantage of its ubiquity. I've always recommended PDF files to the companies I did Web design consulting for because they preserve the formatting, the Reader program is free, and they're easy to create (if you have Acrobat, you can just print to Acrobat Distiller or click the “Create PDF file” option from most programs' File menus); thus, they're perfect for putting policies, forms, and other essential company documentation on the Web, since they can be put on the Web easily from within the programs they were created in. The full Acrobat program isn't that expensive either, though most people don't need it and therefore don't buy it (which is the only thing that will stop Peachy from spreading like wildfire). Peachy also shows how difficult it is for Microsoft to install any security filter in Outlook that can't be defeated without eliminating the concept of e-mail attachments. Embed your VBScript program or whatever in a PDF or Zip file and you've beaten Outlook's filters. Scary.

I've harped on people not using Outlook before so I won't reiterate. But Peachy once again shows how VBScript's hooks into Microsoft products can really cause trouble, even though they were designed for easy (and useful) coordination among programs.

This is a risk across the board (9:50am EST Wed Aug 08 2001)
Let's face it. The more capabilities and power that you give a computer, the more likely it will be exploited for malicious use.

Sam states the usual complaints about VBScript, which I totally agree with. But let's be honest, the same nefarious activities could also be accomplished on other systems using Perl or maybe Java. These are not seen much simply because most of the systems on the net do not support Perl, but that doesn't make it any less of a risk.

Security within the operating system does reduce the risk of such exploits, but we all know that most people's security practices are weak or even nonexistent.

Vigilance and education are the only solutions, and even then it will be difficult to keep up. The other solution is to disconnect the systems from the net, but who's willing to do that? Viruses and worms will be with us from now on; we just have to get used to it.

Funny how… (10:29am EST Wed Aug 08 2001)
… the consequences of one decision made by Adobe could possibly prevent people from being able to work on fixes for it. Just another reason why the DMCA has gotta go. I wonder if Adobe could find a way to twist the DMCA around to apply to Zulu if he ever comes to the USA… heh… – by bleh

This virus… (10:32am EST Wed Aug 08 2001)
… sucks for Kinko's. They insist the digital files be in PDF format when they e-mail a job over, and they have the full software, not just the Reader. The only thing on their side that I've seen is the fact that the ones I've been to all seem to use Netscape (or “Nutscrape”, as some like to call it) for checking the branch mail. Of course, I'm sure at least one of their thousands of branches uses Outlook. Can you just see the headlines now, “Kinko's brought down by PDF virus”? HA! – by bleh

Re: Rax really Sucks (11:02am EST Wed Aug 08 2001)
Thanks – by Rax

Re: De@d St0p (11:09am EST Wed Aug 08 2001)
Acrobat for Linux and Unix is not affected, so it looks like it is only a Microsoft problem. We are almost seeing 1 hack a day into the MS OS.

I can't wait to see tomorrow's Microsoft hack of the day. – by Rax

Run once? (11:12am EST Wed Aug 08 2001)
According to Zulu's commentary on the sites linked above, he did this virus as a “proof of concept” since his other idea with “better spreading capabilities” was stalled. I guess that's why he was kind enough to have it run only once on a computer.

But still, all I can think of is why? If it takes the time and talent to do this, and his only reward is attention, then why not develop something more useful? I guess it's just another intellectual exercise. – by Ziwiwiwiwiwiwiwiwi

re: Rax (11:19am EST Wed Aug 08 2001)
It looks like most of these worms/virii are related to Outlook, not Windows itself, and then most of those are related to file attachments. As noted above, once software becomes popular enough it becomes a target for attack. I imagine any software that becomes popular enough will be a target, regardless of how “secure” it may appear. – by Ziwiwiwiwiwiwiwwiwi

Virus writing (11:23am EST Wed Aug 08 2001)
The only one I ever wanted to write was a virus that modified the BIOS routines to randomly slow down or lock up the machine, until I realized BG and Co. had already done the same thing with Windows. They also were able to get everyone on the planet to buy a copy.

Who can compete with that? – by OldGeek

Get over it (11:33am EST Wed Aug 08 2001)
MS is not the Devil. Get over it. If the vast majority of people used *nix or any other OS, hackers would be hitting it instead. I'm so tired of everyone blaming MS because someone writes something damaging. An OS's main purpose is to run applications. The OS does not care if the app does good or bad. I don't see anyone blaming Ford when some kid puts sugar in their gas tank. – by ArcherB

Other PDF Readers (11:52am EST Wed Aug 08 2001)
Aren't there other PDF readers out there? What about them? – by Tobban

The problem with MS products is that anyone with limited knowledge can write very detrimental viruses. With the adoption of macros on Windows and other MS apps, anyone with a pirate copy of VB and a few books can do some major damage with only a few lines of code. MS has made the job of virus writers simple by giving too much access to the OS via applications. And yet at the same time, they give little control to the user. Maybe they did it accidentally when they were scrambling to cover up all the stolen code in their products. – by evildead

Re: PDF readers (12:49pm EST Wed Aug 08 2001)
I'm not sure, but it doesn't affect the Reader, only the full version.

Oldgeek — I think you are crazy. I doubt MS or anyone else modifies the BIOS on any computer.

I can't wait till Linux takes over (if it ever does); then I can say, “I told you so.” There will be plenty of viruses for Linux, as soon as someone actually sees it as a target. – by Etcetera

sad not mad (1:26pm EST Wed Aug 08 2001)
It seems to me that people should be kicking themselves when they get a virus like that. If you want to open each attachment to play a little game, then you deserve to get the virus. Instead of getting angry and howling for blood (MS or any other), maybe you should look somewhere between the chair and the keyboard for the real problem. – by Aliethel

RE: To the Fake RAX (2:27pm EST Wed Aug 08 2001)
I avoid using MS products as much as possible. Apple Works 6 has new readers that can read and save MS Office and MS Works formats. I can do my work and share it with people that still seem to hold on to faulty products. I know that most of us are force-fed the OS that sits in our cubes, but there are options. Now that Apple has moved to a UNIX-based OS… there's absolutely no reason to waste time with an inferior one. – by evildead

VB should have learned from Java (3:02pm EST Wed Aug 08 2001)
Java has security features like the sandbox that will stop bad programs from taking over your system. – by E J

True, but Ford doesn't equip every car it makes with a funnel and a bag of sugar as standard.

From stuff I've seen elsewhere (can't vouch for it 100%), this worm uses Acrobat to bypass the Outlook filters, Outlook to source its new attack data, and ActiveX code to access the registry (interesting that this one has “immunity” built in).

Who the hell decided it would be a good idea to let ActiveX edit something as fundamental as the Win registry WITHOUT USER KNOWLEDGE? – by TallTroll

Damn good point TallTroll (12:23pm EST Thu Aug 09 2001)
Damn good point. Like I said earlier, MS apps give far too much access to the OS. – by evildead

Yes (9:48pm EST Sun Aug 12 2001)
Yes, I agree. When did the OS or any hardware understand anything? After all, don't they just do what they were instructed to do? You run the risk if you go on the Internet. Not Microsoft's fault that some people choose to write these viruses, trojans, worms, etc. It is the writers, not the OS or its manufacturer. I have found the best way to avoid the Outlook viruses is to just not install MS Outlook or Outlook Express. – by D9